Back to overview

CVE-2026-48359

CRITICAL
9.6
CVSS 3.1
Description
Adobe Experience Manager is affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution in the context of the current user. A low-privileged attacker could exploit this vulnerability to read sensitive files, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.

Metadata

CVE ID
CVE-2026-48359
State
PUBLISHED
Assigner
adobe
Reserved
2026-05-21 15:28 UTC
Published
2026-07-14 19:21 UTC
Last updated
2026-07-14 19:36 UTC
Primary CWE
CWE-611
Improper Restriction of XML External Entity Reference ('XXE'…
Vendor / Product
Adobe / Adobe Experience Manager as a Cloud Service
Sources
cve.org  ·  NVD

Severity & Metrics

9.6 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected products (3)
VendorProductPlatformVersions
Adobe Adobe Experience Manager 6.5 0 ≤ 6.5.24, 6.5.25 - Hotfix for NPR-43972
Adobe Adobe Experience Manager 6.5 LTS 0 ≤ SP1, SP2 - Hotfix for NPR-43972
Adobe Adobe Experience Manager as a Cloud Service 0 ≤ 2026.5.0, 2026.6.0
Weakness (CWE)
CWESourceDescription
CWE-611 cna Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.6 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Back to overview